Introduction to Internal Control:


Why Do We Need Controls?
  • #1 Reason: To provide reasonable assurance that the goals* of each business process are being achieved.
  • To mitigate the risk that the enterprise will be exposed to some type of harm, danger, or loss (including loss caused by fraud or other intentional and unintentional acts).
  • To provide reasonable assurance that the company is in compliance with applicable legal and regulatory obligations.
*If there are no goals, there is no need for controls!

Internal Control:
A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following 3 categories:
  1. Effectiveness and efficiency of operations
  2. Reliability of financial reporting
  3. Compliance with applicable laws and regulations

The Committee of Sponsoring Organizations (COSO) has developed a framework for internal controls. This framework includes the following five components:
  • Control environment - The organizational culture and the foundation for all aspects of internal control.
    • Sets the tone of the organization (tone at the top) which influences the control consciousness of its people
  • Risk assessment - The consideration of potential events that might prevent the achievement of objectives, which are examined by determining the impact and likelihood of each event.
    • Forms a basis for determining how risks should be managed
  • Control activities - Policies and procedures that help ensure that management directives are carried out. These are essentially the internal controls themselves.
  • Information and communication - Processing of information in a form and time frame that enables people to do their jobs and carry out their responsibilities (must be horizontal and vertical). This involves management effectively communicating about the internal controls.
  • Monitoring - A process that assesses the quality of internal control over time.

It is very important to note that this process is ongoing. Monitoring is an important step as it helps management constantly evaluate and make changes as needed to the internal controls. Since business environments constantly change, internal controls must also adapt to the changing needs of the business.


Business Process Control Goals
Control goals of operations processes:
  • Effectiveness
    • A measure of success in meeting one or more operations process goals which reflect the criteria used to judge the effectiveness of various business processes
    • Ex. Deposit cash receipts on the day received
  • Efficiency
    • A measure of the productivity of the resources applied to achieve a set of goals
    • Ex. What is the cost of people, computers, and other resources to deposit cash on the day received?
  • Security of resources
    • Protecting an organization’s resources from loss, destruction, disclosure, copying, sale, or other misuse
    • Ex. Are cash and information resources available when required?
Control goals of information processes:
  • Input validity (IV)
    • Input data is approved and represents actual economic events and objects
    • Ex. Are all cash receipts input into the process supported by valid/authorized customer payments?
  • Input completeness (IC)
    • Requires that all valid events or objects be captured and entered into the system
    • Ex. Are all valid customer payments captured on a customer remittance advice (RA) and entered into the process?
  • Input accuracy (IA)
    • Requires that events be correctly captured and entered into the system
    • Ex. Is the correct payment amount and customer number on the RA?
    • Ex. Is the correct payment amount and customer number keyed into the system?
  • Update completeness (UC)
    • Requires that all events entered into the computer are reflected in their respective master data
    • Ex. Are all input cash receipts recorded in the AR master data?
  • Update accuracy (UA)
    • Requires that data entered into a computer are reflected correctly in their respective master data
    • Ex. Are all input cash receipts correctly recorded in the AR master data?
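
The five information-process goals above, written as reconciliation checks over a cash receipts batch. This is an added example, not part of the original notes; the record layout, IDs and amounts are constructed, and check_control_goals is a hypothetical helper.

```python
from decimal import Decimal

# Constructed sample data (not from the notes). Each record is
# ra_id -> (customer number, amount).
CUSTOMERS = {"C100", "C200", "C300"}            # authorized customers
REMITTANCES = {                                 # RAs actually received
    "RA1": ("C100", Decimal("250.00")),
    "RA2": ("C200", Decimal("75.50")),
    "RA3": ("C300", Decimal("410.00")),
}
INPUTS = {                                      # what was keyed in
    "RA1": ("C100", Decimal("250.00")),
    "RA2": ("C200", Decimal("57.50")),          # digits transposed
    "RA9": ("C999", Decimal("900.00")),         # no supporting RA
}                                               # RA3 was never keyed
AR_POSTINGS = {                                 # AR master data updates
    "RA1": ("C100", Decimal("205.00")),         # posted incorrectly
}                                               # RA2 was never posted


def check_control_goals(remittances, inputs, postings, customers):
    """Return the record IDs that violate each information-process goal."""
    # IV: every input must be backed by a real RA from an authorized customer.
    iv = sorted(r for r, (cust, _) in inputs.items()
                if r not in remittances or cust not in customers)
    # IC: every RA received must have been entered.
    ic = sorted(r for r in remittances if r not in inputs)
    # IA: entered customer number and amount must match the RA.
    ia = sorted(r for r, rec in inputs.items()
                if r in remittances and rec != remittances[r])
    # Only valid inputs are expected to reach the master data.
    valid = [r for r in inputs if r not in iv]
    # UC: every valid input must appear in the AR master data.
    uc = sorted(r for r in valid if r not in postings)
    # UA: what was posted must equal what was entered.
    ua = sorted(r for r in valid if r in postings and postings[r] != inputs[r])
    return {"IV": iv, "IC": ic, "IA": ia, "UC": uc, "UA": ua}


if __name__ == "__main__":
    report = check_control_goals(REMITTANCES, INPUTS, AR_POSTINGS, CUSTOMERS)
    for goal, failures in report.items():
        print(goal, "exceptions:", failures or "none")
```
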
The Control Matrix

The goal of the control matrix is to document controls within business processes. For each control, we document the goal(s) that particular control accomplishes. Below is an example of a control matrix where control P1 ensures efficient employment of resources and input accuracy.

Control Goals of the Lenox Cash Receipts Business Process

Processes         | Operations process goals            | Information process goals
(with controls)   | A   | B   | Efficiency | Security   | IV | IC | IA | UC | UA
P1                |     |     | P1         |            |    |    | P1 |    |
M1                |     |     |            |            |    |    |    |    |

Column headings in full:
  • Control goals of the operations process
    • A, B: Ensure effectiveness of operations
    • Efficiency: Ensure efficient employment of resources (e.g., people and computers)
    • Security: Ensure security of resources (e.g., checks and AR master data)
  • Control goals of the information process
    • IV, IC, IA: For the remittance advice inputs, ensure:
    • UC, UA: For the AR master data, ensure:

A Control Hierarchy
  • The Control Environment = Internal Environment
    • What is referred to as a "control environment" under COSO is commonly referred to as an "internal environment" in conjunction with an ERM.
    • Corporate culture is determined at the top of the organizational chart.
    • Sets the tone of an organization, influencing the control consciousness of its people; serves as the foundation for all other components of internal control by providing structure and discipline.
    • The integrity and ethical values of an organization's people will determine the degree of success or failure of controls.
  • Pervasive Control Plans (Chapter 8)
    • Provide a second level of protection.
    • Relate to a multitude of goals and processes; like the control environment, they provide a climate or set of surrounding conditions in which the various business processes operate; they are broad in scope and apply equally to all business processes.
  • Business Process Control Plans (Chapters 9-14)
    • Provide a third level of protection.
    • Relate to a specific AIS process or to the technology used to implement the process.